Securing Apache HTTP

Security is one of those things that is not absolute and the more you tighten, the more expensive it becomes without ever being completely impenetrable. So it is important to decide how much security is needed and how much to invest. On the most basic level, even if you haven’t anything valuable to protect, your computer resources can be stolen – files stored, spam sent, cpu used.

In any case, here are some important configurations that will help secure an Apache HTTP server.

1. First, make sure you’ve installed latest security patches

2. Hide the Apache Version number and other sensitive information

By default many Apache installations transmit the Apache version number, what OS/version and even what Apache Modules are running. It also sends the message that you running with most defaults. There are two directives that you can add in the httpd.conf file (or Vhost file if you’re running a vhost configuration):
ServerSignature Off
ServerTokens Prod

3. Make sure Apache is running under its own user account and group because often an attack comes from a different server services.

4. Ensure that files outside the web root are not served

Apache should not be allowed to access files out side of the web root. For example, assume the web content is all places under one directory (/www), the configuration will be as follows:
<Directory />
Order Deny,Allow
Deny from all
Options None
AllowOverride None
</Directory>
<Directory /www>
Order Allow,Deny
Allow from all
</Directory>

Note that because I am setting Options None and AllowOverride None in the root, I will turn off all options and overrides for the server. I now have to add these directives explicitly for each directory that requires an Option or Override.

5. If you do not need directory browsing, turn it off by setting an Options directive inside a Directory tag to either None or -Indexes

Options -Indexes

6. If you do not need server side includes, turn it off by setting an Options directive inside a Directory tag to either None or -Includes

Options -Includes

7. If you do not need CGI, turn it off by setting an Options directive inside a Directory tag to either None or -ExecCGI

Options -ExecCGI

8. Don’t allow Apache to follow symbolic links, again by setting an Options directive inside a Directory tag to either None or -FollowSymLinks

Options -FollowSymLinks

9. Turn off support for .htaccess files by setting an AllowOverride directive inside a Directory tag to None.

AllowOverride None

If you require overrides make sure that the access file cannot be downloaded and change the access file’s name to something other than .htaccess. For example, change the access file name to .XOUToverride, and block all files that start with .XOUT from being downloaded as follows:

AccessFileName .XOUToverride

<Files ~ "^\.XOUT">
Order allow,deny
Deny from all
Satisfy All
</Files>

10. Disable unnecessary modules – Apache typically comes with several modules installed. Check out the Apache module documentation and learn what each module you have enabled actually does. Here are some modules that are typically not needed and should be disabled: mod_imap, mod_include, mod_info, mod_userdir, mod_status, mod_cgi, mod_autoindex.

11. Only allow root to access Apache’s configuration and binaries. For example, if Apache’s installation is located at /usr/local/apache as follows:
chown -R root:root /usr/local/apache
chmod -R o-rwx /usr/local/apache

12. Help mitigate the potential effects of a denial of service (DOS) attack by lowering the timeout value and limiting large requests.

By default the Timeout directive is set to 300 seconds.

Timeout 45

Apache has several directives that allow a limited request size. A good place to start is the LimitRequestBody directive, set to unlimited by default. If you are allowing file uploads of no larger than 1MB, you could set this setting to something like (if you’re not allowing file uploads at all, you can set it even smaller):

LimitRequestBody 1048576

Some other directives to look at are LimitRequestFields, LimitRequestFieldSize and LimitRequestLine. These directives are set to a reasonable defaults for most servers, but they can be tweak to better fit the requirements.

13. Apache has several configuration settings that can be used to limit concurrency. The MaxClients is the maximum number of child processes that will be created to serve requests. This may be set too high if your server doesn’t have enough memory to handle a large number of concurrent requests. Other directives such as MaxSpareServers, MaxRequestsPerChild, and on Apache2 ThreadsPerChild, ServerLimit, and MaxSpareThreads are important to adjust to match your operating system, and hardware.

14. If you have a resource that should only by accessed by a certain network, or IP address you can enforce this in your Apache configuration. For example, if you want to restrict access to an internal network, the 192.168 network:
Order Deny,Allow
Deny from all
Allow from 192.168.0.0/16

15. Finally, mod_security is a super handy Apache module written by Ivan Ristic, the author of Apache Security from O’Reilly press.